
ESCALATED: 2FA not enforced on /profile/applications

HackerOne report #691477 by brdoors3 on 2019-09-10, assigned to hackerjuan:

Hi team,

I found one access control issue related to your feature 'Enforcing 2FA for all users' on https://gitlab.com/

POC

1. Access a group and enforce 2FA for all users.

In this test I used a grace period of 1 hour.

2. After 1 hour, access https://gitlab.com again.

The user will be redirected to https://gitlab.com/profile/two_factor_auth.

3. Try to access some other areas.

All pages redirect to https://gitlab.com/profile/two_factor_auth (expected behavior).

4. Access https://gitlab.com/profile/applications

2FA is not enforced on this page. I can create and delete applications without any 2FA active.

POC video attached.

Impact

In this scenario, after the grace period has elapsed, a user can access and make any change on https://gitlab.com/profile/applications.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Edited by GitLab SecurityBot
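The steps above are a manual walk of a small set of pages. The same check can be automated so the whole authenticated surface is probed for pages that render instead of redirecting to the 2FA setup page. The script below is an added example written for this page; it is not the reporter's PoC and not GitLab's code. It assumes the enforcement redirect always targets /profile/two_factor_auth, that the GitLab session cookie is named _gitlab_session, and it uses a constructed list of profile paths plus a constructed fake fetcher that mirrors the responses described in the report so the logic can be exercised offline. Point make_live_fetcher at a real instance, with a session cookie for a user whose grace period has expired, to run it for real.

```python
"""Probe which authenticated pages honour a 2FA-enforcement redirect.

Added example for the report above; assumptions are marked in comments.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumption: enforcement always redirects to this path (matches the report).
TWO_FACTOR_PATH = "/profile/two_factor_auth"

# Constructed sample of profile pages to probe; extend with any authenticated path.
PROFILE_PATHS = [
    "/profile",
    "/profile/account",
    "/profile/keys",
    "/profile/emails",
    "/profile/applications",
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_enforced(status, location, path):
    """True if the response for `path` is the 2FA-enforcement redirect.

    The 2FA setup page itself must be reachable, so it counts as enforced.
    A 2xx page, or a redirect elsewhere (e.g. to the sign-in page), is not.
    """
    if path == TWO_FACTOR_PATH:
        return True
    if status not in REDIRECT_CODES:
        return False
    # urlparse handles both absolute and relative Location headers.
    return urlparse(location or "").path == TWO_FACTOR_PATH


def find_bypasses(paths, fetch):
    """Return the paths that render without the 2FA-enforcement redirect.

    `fetch(path)` must return (status_code, location_header_or_None).
    """
    return [p for p in paths if not is_enforced(*fetch(p), p)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_live_fetcher(base_url, session_cookie):
    """Build a fetch() for a real instance.

    Assumption: the session cookie is named _gitlab_session and belongs to a
    user whose 2FA grace period has already elapsed.
    """
    opener = urllib.request.build_opener(_NoRedirect())

    def fetch(path):
        req = urllib.request.Request(
            urljoin(base_url, path),
            headers={"Cookie": f"_gitlab_session={session_cookie}"},
        )
        try:
            with opener.open(req) as resp:
                return resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as err:
            # With redirects disabled, urllib raises HTTPError for 3xx too.
            return err.code, err.headers.get("Location")

    return fetch


def fake_fetch_from_report(path):
    """Constructed responses mirroring the report: every page redirects to the
    2FA setup page except /profile/applications, which renders normally."""
    if path == "/profile/applications":
        return 200, None
    return 302, "https://gitlab.com/profile/two_factor_auth"


if __name__ == "__main__":
    # Offline run against the constructed responses; swap in
    # make_live_fetcher("https://gitlab.example", "<cookie>") for a live check.
    for bypass in find_bypasses(PROFILE_PATHS, fake_fetch_from_report):
        print(f"2FA enforcement NOT applied: {bypass}")
```

A redirect to the sign-in page is deliberately treated as "not enforced" rather than silently skipped: it usually means the session expired mid-run, and a regression test should fail loudly in that case rather than report a clean result.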